Information security of the company and the security of our users' data is a top priority for us, therefore Interkassa launched a contest to find vulnerabilities and pay rewards for them. To participate in the contest, you must agree and follow the rules described in this policy. You must be the first to report a vulnerability to receive a reward. You must send a clear textual description of the work done, along with steps to reproduce the vulnerability. After sending an error message about it, you can not tell anyone or anywhere. Also, please do not store screenshots and / or executable codes and scripts related to the vulnerability discovered on publicly available services and resources so that the information is not available to third parties.
In the web services and interkassa web applications that store or process personal information of users. Personal information is, for example, logins and passwords, correspondence, order history and payment.
We do not reward vulnerabilities for next url for this moment:
Vulnerabilities are critical gaps and technical flaws in systems that can violate the integrity, availability or confidentiality of user’s information, as well as change access rights to it.
We are interested in next web vulnerabilities:
You can submit a report via the special form of Hackenproof platform: it helps the triage team to process the information and respond faster to you.
We want to see in the vulnerability report: (when preparing a report, stick to this list of fields)
The size of the awards depends on priority of vulnerability and are the next:
Severity (CVSSv3) | Reward
Critical | 9254 HKN
High | 3084 HKN
Medium | 1542 HKN
Low | not rewarded
In special cases, the size of the award can be increased if the researchers demonstrate how the vulnerability can be used to inflict maximum harm.
Automated scanners that generate massive network traffic volumes and may affect system performance are prohibited. Localize all your tests to your account. Don't affect other users. Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) are not allowed. In case you find chain vulnerabilities we pay only for vulnerability with the highest severity. It’s forbidden to perform DoS / DDoS on resources in the Scope. Follow disclosure guidelines.
In general, the following vulnerabilities do not correspond to the severity threshold: This section contains problems that are not accepted in this competition, because they are malicious and / or because they have a low impact on security.
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
Certificates/TLS/SSL related issues
DNS issues (i.e. mx records, SPF records, etc.)
Server configuration issues (i.e., open ports, TLS, etc.)
Will make a best effort to meet the following SLAs for researchers who is participating in our program:
SLA | Plan
Time to first response (from report submit) | 3 day
Time to triage (from report submit) | 7 days
Time to bounty (from triage) | 1 month
We’ll try to keep you informed about our progress throughout the process.